Profile Applicability:
- Level 1
Description:
Security Groups in AWS control inbound and outbound traffic to EC2 instances. Each security group has ingress rules (for incoming traffic) and egress rules (for outgoing traffic). AWS allows security groups to have multiple rules, but having more than 50 ingress or egress rules in a security group can indicate overly permissive access or overly complex network configurations. This SOP helps to identify any security groups that have more than 50 rules, which could be an indication of misconfiguration or unnecessary exposure.
Rationale:
Having an excessive number of rules in a security group can increase complexity and potentially lead to security risks. Large numbers of rules can also make it difficult to manage and audit security configurations effectively. Identifying and reviewing security groups with a high number of rules helps to streamline security policies and minimize unnecessary access.
Impact:
Pros:
Helps identify overly permissive security groups or complex configurations that may need to be simplified.
Improves security posture by ensuring that security groups are appropriately scoped.
Auditing and compliance reviews can be easier with fewer and more focused rules.
Cons:
Some use cases (e.g., large-scale applications) may require complex security group configurations.
Overhauling security groups with large rule sets might disrupt existing services, requiring careful planning.
Default Value:
By default, security groups in AWS may have few rules, but they can grow to have many rules as the system evolves or as complex access control requirements arise.
Pre-requisite:
AWS IAM Permissions:
ec2:DescribeSecurityGroups
ec2:DescribeInstances
ec2:DescribeNetworkInterfaces
AWS CLI installed and configured.
Basic understanding of security groups and networking in AWS.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 under Services.
In the left-hand navigation pane, select Security Groups under Network & Security.
For each security group, review the Inbound Rules and Outbound Rules.
Count the number of rules in both Ingress and Egress sections.
If any security group has more than 50 rules in either section, flag it for review.
Using AWS CLI:
To list all security groups and their associated ingress and egress rules, use the following command:
aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,IngressRules:IpPermissions,EgressRules:IpPermissionsEgress}' --output json
Parse the output to find security groups with more than 50 rules in either IngressRules or EgressRules. The output will contain a list of security groups along with the details of their inbound and outbound rules.
Example of a parsed output:
[
  {
    "ID": "sg-0123456789abcdef0",
    "IngressRules": [ /* List of 51 ingress rules */ ],
    "EgressRules": [ /* List of 45 egress rules */ ]
  },
  {
    "ID": "sg-9876543210fedcba0",
    "IngressRules": [ /* List of 48 ingress rules */ ],
    "EgressRules": [ /* List of 52 egress rules */ ]
  }
]
If a security group has more than 50 rules, either in IngressRules or EgressRules, it should be flagged for further review.
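The parsing step above can be automated. The following script is an added example written for this SOP, not part of the original document or an AWS tool; it reads the JSON from `aws ec2 describe-security-groups --output json` on stdin (the CIDR contents of the embedded sample are constructed) and counts rules the way the AWS quota does, where each IPv4 range, IPv6 range, referenced security group and prefix list inside an IpPermissions entry is one rule, so a single entry with many CIDRs is not undercounted.

```python
"""Flag security groups whose ingress or egress rule count exceeds the SOP threshold.

Usage:
  aws ec2 describe-security-groups --output json | python3 flag_sg_rules.py
With no piped input, the constructed SAMPLE below is checked instead.
"""
import json
import sys

THRESHOLD = 50  # review threshold used by this SOP


def count_rules(ip_permissions):
    """Count rules as AWS does: one per CIDR, IPv6 range, group pair or prefix list.

    An entry with no sub-entries still counts once so nothing is silently dropped.
    """
    total = 0
    for perm in ip_permissions:
        entries = (len(perm.get("IpRanges", [])) + len(perm.get("Ipv6Ranges", []))
                   + len(perm.get("UserIdGroupPairs", [])) + len(perm.get("PrefixListIds", [])))
        total += entries or 1
    return total


def flag_security_groups(groups, threshold=THRESHOLD):
    """Return [(GroupId, ingress_count, egress_count)] for groups over the threshold."""
    flagged = []
    for sg in groups:
        ingress = count_rules(sg.get("IpPermissions", []))
        egress = count_rules(sg.get("IpPermissionsEgress", []))
        if ingress > threshold or egress > threshold:
            flagged.append((sg["GroupId"], ingress, egress))
    return flagged


# Constructed sample standing in for real CLI output; group IDs match the SOP's example.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0123456789abcdef0",
     # one permission entry carrying 51 distinct /32 sources on port 443 -> 51 rules
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": f"10.0.0.{i}/32"} for i in range(51)]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-9876543210fedcba0",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "192.0.2.0/24"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for group_id, ingress, egress in flag_security_groups(data["SecurityGroups"]):
        print(f"{group_id}: ingress={ingress} egress={egress} (threshold {THRESHOLD})")
```

Groups listed in the output are the ones to carry into the review step; a group that appears only because one entry holds many CIDRs is often a candidate for a prefix list rather than a reduction in access.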
Implementation Steps:
Using AWS Console:
Open the AWS Management Console
Navigate to EC2.
Go to Security Groups under Network & Security.
Review the Inbound Rules and Outbound Rules for each security group:
Count the number of rules in Ingress and Egress.
Flag or note security groups with more than 50 rules for review and optimization.
Using AWS CLI:
Run the following command to get a detailed list of security groups and their rules:
aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,IngressRules:IpPermissions,EgressRules:IpPermissionsEgress}' --output json
Review the output and identify any security groups with more than 50 rules in either the Ingress or Egress sections.
Backout Plan:
If reviewing security groups with large numbers of rules requires changes that impact functionality, revert the changes as follows:
Identify the affected security group and its associated rules.
Restore the rules by adding back any necessary rules that were removed:
aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port <port> --cidr <ip-range>
aws ec2 authorize-security-group-egress --group-id <group-id> --protocol tcp --port <port> --cidr <ip-range>
Verify that the restored rules have been applied and the EC2 instance is functioning as expected.